Microsoft Touts Resistance to an FBI Snooping Request

Microsoft disclosed on Thursday that it fought off an FBI National Security Letter (NSL) request that had sought account information about one of its enterprise customers.

The details, as well as the name of the customer involved, were expunged from a court order describing the case, which is dated May 21. The order just outlines that Microsoft had received the NSL request from the FBI and had contested it. Later, the government withdrew its request. Microsoft wasn't able to publicly discuss the case until today, according to Brad Smith, Microsoft's general counsel and executive vice president for legal and corporate affairs, in a blog post.

Smith said that Microsoft initiated the legal challenge in this case because of its commitment to notify "business and government customers" about any legal orders it may receive. Microsoft notifies the customer unless it receives a government gag order prohibiting such action, Smith explained. Microsoft went to court in this case to contest a speech rights restriction.

Microsoft's general practice is to seek permission from the customer to disclose the information, or it will try to direct the government to get the information itself from the customer, according to Smith.

In this case, the court order indicated that the FBI simply got the information directly from the targeted company. The order states that "the FBI obtained the requested information through lawful means from a third party, the Customer, in a way that maintains the confidentiality of the underlying investigation."

Microsoft's Transparency Efforts
Microsoft publishes a "Law Enforcement Requests Report" every six months that includes aggregate numbers about the legal requests it receives. However, most of the requests are for information about the accounts of individuals using its consumer products, rather than enterprise users. Smith said that getting law enforcement requests about the company's enterprise customers was "extremely rare."

Microsoft only recently was granted permission to report U.S. Foreign Intelligence Surveillance Act (FISA) requests in bulk. The company reported that it received 1,000 or fewer FISA orders to disclose customer content from January to June in 2013. Also in that same period, Microsoft received fewer than 1,000 FISA orders for account information. As for the NSLs, Microsoft indicated that it had received 1,000 or fewer of those requests in that time period.

Microsoft, of late, has been publicizing its efforts to protect the privacy of its customers. It's been an uphill battle for the company ever since former NSA contractor Edward Snowden provided documents disclosing that Microsoft was the first company to sign up for the NSA's secret PRISM program, which provides a means to tap into the traffic of Internet service providers.

That negative publicity is problematic for Microsoft's cloud services expansion into European markets. Europe has far stronger privacy protections for individuals and companies than the United States. In response, Microsoft added message encryption to Office 365, which is a free service with E3 and E4 business subscriptions (consumers don't get the encryption protections). Microsoft also gave assurances to companies on having a choice where their data are stored. An EU agency recently endorsed Microsoft's cloud services for adding those data location assurances.

Brendon Lynch, Microsoft's chief privacy officer, highlighted data privacy for customers as "a top priority" for Microsoft's cloud services. He pointed to a new white paper to that effect.

EFF Endorsement
Microsoft bragged this month that it got six out of six stars in the Electronic Frontier Foundation's fourth annual report on company efforts to ward off government snooping. The EFF's report is titled, "Who Has Your Back."

"We're pleased to give Microsoft credit for challenging a government data demand in court," the EFF's report states. "And finally, we are particularly impressed by Microsoft’s transparency report, which includes a special report about National Security Letters and FISA court orders."

While that statement appears to be a glowing endorsement of Microsoft, the Internet and privacy watchdog group also commissioned analysis by Silk, a data analysis company. Silk provided its assessments about how compliant service providers were in response to government requests. Microsoft and Yahoo were deemed most likely to disclose such information.

Microsoft and Yahoo had compliance rates of 81 percent and 77 percent, respectively, in response to law enforcement requests, according to Silk's analysis. Those rates were the highest of the Internet service providers analyzed relative to the volume of requests received. In contrast, Facebook's compliance rate was 63 percent while Google's was 57 percent, according to Silk's analysis.